ThreatExpert Report: Trackware.Baigoo, BHO.Win32.Baigoo, Adware-Baigoo..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 7 September 2012, 09:41:24
Processing time: 8 min 48 sec
Submitted sample:

File MD5: 0xB251231A9FD29C6166D2AE207EB6972A
File SHA-1: 0x583AABEED16AC3847E8506A652C750702E807F11
Filesize: 193,732 bytes
Alias & packer info:

Trackware.Baigoo [Symantec]
BHO.Win32.Baigoo [Ikarus]
packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Baigoo	Adware.Baigoo is a Browser Helper Object which displays pop-up advertisements and downloads additional malware onto the infected PC.

Attention! The following threat category was identified:

Threat Category	Description
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\baigoo\BGooBHO.dll	28,672 bytes	MD5: 0x60F946FF6ED0F376E0F2B2E253E57799 SHA-1: 0x17B52EF8C4568F6AF0F53C7B27A8B5A2737497EB	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] BrowserModifier:Win32/Baigoo [Microsoft] BHO.Win32.Baigoo [Ikarus]
2	%ProgramFiles%\baigoo\bgoocfg.ini	225 bytes	MD5: 0x9D10272323E88DEC516745BBAD25E732 SHA-1: 0x3FA698CDDED7C0989824681CC590B8CA1F0BD051	(not available)
3	%ProgramFiles%\baigoo\bgooex.dll	90,112 bytes	MD5: 0xFE7415501CEDD0F4F963A93E0E96290A SHA-1: 0x82EF5534615D63454F27607E54F3A5886F632754	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] AdWare.Win32.Boran.i [Ikarus]
4	%ProgramFiles%\baigoo\BGooHK.dll	28,672 bytes	MD5: 0x283756D6CE570E6A3D501EB7C392CB26 SHA-1: 0x266B0B8EC06E6A4824449328F52A376FFDAED3C1	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] Mal/Generic-L [Sophos] BrowserModifier:Win32/Baigoo [Microsoft] BHO.Win32.Baigoo [Ikarus]
5	%ProgramFiles%\baigoo\bgook.dll	94,208 bytes	MD5: 0x59FFB8779127D99F2B53F497DA59FAA6 SHA-1: 0x1095B4BE27798F235AA86AD5A10F21B4693A4A8F	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] Mal/Generic-L [Sophos] AdWare.Boran.I.11 [Ikarus]
6	%ProgramFiles%\baigoo\bgoomain.exe	20,480 bytes	MD5: 0x6868178DD3C2A2276380D514FB9126F6 SHA-1: 0x209295A7B9E5F560C1E1593EFB6A6BD512D97E0B	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] Mal/Generic-L [Sophos] BrowserModifier:Win32/Baigoo [Microsoft] Virus.Win32.AdWare [Ikarus]
7	%ProgramFiles%\baigoo\plugin\bgoobar\band.ini	6,533 bytes	MD5: 0xBB85D74AED636396FB75CF552BA33488 SHA-1: 0xB95D47D347740B4717F6561E81C8D4E53A780B4D	(not available)
8	%ProgramFiles%\baigoo\plugin\bgoobar\bgoobar.dll	225,280 bytes	MD5: 0xBC3FF82AB2513F157983520D25869473 SHA-1: 0x63DAF99597F986BE5DDF50BB67D3D50F6AA922D9	Trackware.Baigoo [Symantec] Adware-Baigoo [McAfee] Mal/Generic-L [Sophos] BrowserModifier:Win32/Baigoo [Microsoft] BHO.Win32.Baigoo [Ikarus] Win-Trojan/Xema.variant [AhnLab]
9	%ProgramFiles%\baigoo\plugin\bgoobar\plugin.ini	411 bytes	MD5: 0xC4C1FB78E7B1D24E7775A06CB56F3DDB SHA-1: 0xD833B063A7B5A948EAEE8F83DDCF77AD9508C633	(not available)
10	%ProgramFiles%\baigoo\uninst.exe	22,006 bytes	MD5: 0x77A07AD3B0CF090C27A60CF53F1E9586 SHA-1: 0xA70A5558983C76D919CE728A2A6DFB8E022733CB	Heuristic.ADH [Symantec] Generic PUP.z!dq [McAfee] packed with UPX [Kaspersky Lab]
11	[file and pathname of the sample #1]	193,732 bytes	MD5: 0xB251231A9FD29C6166D2AE207EB6972A SHA-1: 0x583AABEED16AC3847E8506A652C750702E807F11	Trackware.Baigoo [Symantec] BHO.Win32.Baigoo [Ikarus] packed with UPX [Kaspersky Lab]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%ProgramFiles%\baigoo
%ProgramFiles%\baigoo\plugin
%ProgramFiles%\baigoo\plugin\bgoobar

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	200,704 bytes
bgoomain.exe	%ProgramFiles%\baigoo\bgoomain.exe	20,480 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7905958A-18C2-4139-9957-AE6F2B754818}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7905958A-18C2-4139-9957-AE6F2B754818}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C893032-1E26-4409-BA26-ED6C6007DCA6}
HKEY_LOCAL_MACHINE\SOFTWARE\baigoo
HKEY_LOCAL_MACHINE\SOFTWARE\baigoo\Coop
HKEY_LOCAL_MACHINE\SOFTWARE\baigoo\Update

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7905958A-18C2-4139-9957-AE6F2B754818}\InprocServer32]

(Default) = "%ProgramFiles%\baigoo\bgooex.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7905958A-18C2-4139-9957-AE6F2B754818}]

(Default) = "BaiGooEx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\VersionIndependentProgID]

(Default) = "BGooBHO.Status"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\TypeLib]

(Default) = "{690E010B-042A-4973-87A8-485DEB8BDF68}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\ProgID]

(Default) = "BGooBHO.Status.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}\InprocServer32]

(Default) = "%ProgramFiles%\baigoo\BGooBHO.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}]

(Default) = "Status Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\TypeLib]

(Default) = "{690E010B-042A-4973-87A8-485DEB8BDF68}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}]

(Default) = "IStatus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\TypeLib]

(Default) = "{4A8976FE-144E-4742-8E49-D6CD3B140FD1}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}]

(Default) = "IAxObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\0\win32]

(Default) = "C:\PROGRA~1\baigoo\bgooex.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\HELPDIR]

(Default) = "C:\PROGRA~1\baigoo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}\1.0]

(Default) = "BHOOBJLib"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\0\win32]

(Default) = "%ProgramFiles%\baigoo\BGooBHO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\baigoo\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}\1.0]

(Default) = "BGooBHO 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update\CurVer]

(Default) = "BaiGooEx.Update.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update\CLSID]

(Default) = "{7905958A-18C2-4139-9957-AE6F2B754818}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update]

(Default) = "BaiGooEx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update.1\CLSID]

(Default) = "{7905958A-18C2-4139-9957-AE6F2B754818}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update.1]

(Default) = "BaiGooEx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status\CurVer]

(Default) = "BGooBHO.Status.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status\CLSID]

(Default) = "{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status]

(Default) = "Status Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status.1\CLSID]

(Default) = "{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status.1]

(Default) = "Status Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}]

(Default) = "bg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

bgoomain.exe = "C:\PROGRA~1\baigoo\bgoomain.exe"

so that bgoomain.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C893032-1E26-4409-BA26-ED6C6007DCA6}]

DisplayName = "???????"
UninstallString = "%ProgramFiles%\baigoo\uninst.exe"
DisplayIcon = "%ProgramFiles%\baigoo\uninst.exe"
URLInfoAbout = "http://www.baigoo.com"
Publisher = "BAIGOO.COM"

[HKEY_LOCAL_MACHINE\SOFTWARE\baigoo\Update]

band.ini = "1.0.2.1001"

[HKEY_LOCAL_MACHINE\SOFTWARE\baigoo\Coop]

PrePartner = "F_hero"
PartnerName = "F_hero"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

{4F132D15-5FF8-4d31-802F-7FC88677B58F}
BaiGooAutoUpdateMutexIni
BaiGooRegisterUserMutex
oleacc-msaa-loaded

The following Host Name was requested from a host database:

192.5.5.241

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

C:\PROGRA~1\baigoo\bgoohk.dll
%ProgramFiles%\baigoo\bgoohk.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.